Mod-X Central Command Level 4 [solution]

Agent apok…I don’t know how you did it, but good work! Your decryption helped us to see that the file was a registry installation file. It was used to place an executable file into our start up, so all the time since the break in this mystery program has been running.

We had a brief look at the program, but it appears to require a valid username and password combination. To find out what the program has been doing, we will need to gain access. Therefore, we have assigned you the task of examining the program and finding a valid username/password combination. Once you have got one, enter it into your mission conclusion and we shall take it from there.

Good luck apok.

It has been a few days since my last solution; I’ve been kind of busy. Now it’s time for reverse engineering. They give us an executable file and we need to find the right username/password combination. You can download the executable directly from the Mod-X web page or from here (this last one is a personal account).

CRC32: 49C456F3

MD5: E6AC16B2EE0188E027D98BC1D0859381

SHA1: 5AC6903536F7541279AF8793AF43A7D8250A6460

I usually run the binary to see how it looks and if I can get some clues.

If you enter nothing in the text boxes, the crackme shows a warning box and closes; the same happens if you enter the wrong username/password combination. Time to use our reversing arsenal.

First of all I’ll check it using a packer detector so I can get an idea of what is going on and what we are facing:

Well, it’s native VB. Fire up your favorite VB decompiler and you will find some very nasty code (OK, I admit it, VB is not my favorite). Open the event corresponding to the button click and you will get something like this:

```vb
Private Sub Command1_Click() '402AA0
  loc_00402AE5: var_eax = arg_8.AddRef 'Ignore this
  loc_00402B82: On Error Resume Next
  loc_00402B92: var_eax = Form1.Text1 'Ignore this
  loc_00402BB2: var_A4 = Text1.Text
  loc_00402BDC: var_B0 = var_A4
  loc_00402BFE: var_90 = var_A4
  ...
```

This may seem difficult if you are not used to it, but it is not that hard.

00402BB2 to 00402C8B just retrieves the strings from the two text boxes.

00402D0D to 00402D29 verifies that the user has entered text in the text boxes.

00402D85 is an interesting part: now we know the username must be 6 characters long.

```java
if (nameLen != 6)
    return;
```

00402E59 to 0040309B is a simple for loop; all it does is turn the username around, so if my input was Apok I would get kopA at the end of the for loop. Easy, right?

```java
for (int i = 1; i <= nameLen; i++) {
    letter = name.charAt(nameLen - i);
    nName += letter;
}
```

004030F1 to 004032C3 hardcodes a string by converting some decimal values to their corresponding ASCII characters. At the end the string contains “trautS”. See it? Let’s make it clearer:

116 = “t”

114 = “r”

97 = “a”

117 = “u”

116 = “t”

83 = “S”

004032F2 now checks whether my username, turned around, matches the hardcoded string. So now we know the username. Let’s go on.

```java
if (!nName.equals(hardcodedName))
    return;
```

0040337E to 00403494: this for loop just takes every single character of the username and converts it to a hexadecimal number.

```java
for (int i = 0; i < name.length(); i++) {
    letter = name.charAt(i);
    nName += Integer.toHexString(letter);
}
```

004034F5 to 004036BD: the hexadecimal numbers from the previous for loop end up as a string, but first that string is turned around again.

```java
for (int i = nName.length(); i != 0; i--) {
    letter = nName.charAt(i - 1);
    tmp += letter;
}
```

One more graphical way:

004036D5: does our password match the previously calculated password? If it does, then we get access to a remote terminal (actually it is just a message box saying that). So, we have the username and the password:

Username: Stuart

Password: 472716574735

I translated the whole Visual Basic code into a language I feel more comfortable with (Java); you can get it from here.
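The checks walked through above, put together as one runnable Python sketch. This is an added example, not the author's Java translation or code recovered from the binary; the function and constant names are assumptions, and only the decimal codes, the length check and the order of the steps come from the write-up.

```python
# Added example: re-implementation of the checks described in the write-up.
# All names here are hypothetical; they do not appear in the binary.

# Decimal character codes converted to a string at 004030F1-004032C3.
HARDCODED_CODES = [116, 114, 97, 117, 116, 83]
REQUIRED_NAME_LEN = 6  # length check at 00402D85


def hardcoded_name():
    """Rebuild the embedded string from its decimal codes ("trautS")."""
    return "".join(chr(code) for code in HARDCODED_CODES)


def derive_password(name):
    """Hex-encode each character of the name, then reverse the hex string."""
    hex_string = "".join(format(ord(ch), "x") for ch in name)
    return hex_string[::-1]


def check(name, password):
    """Apply the checks in the order the write-up lists them.

    Returns the name of the first check that fails, or "ok".
    """
    if not name or not password:
        return "empty"
    if len(name) != REQUIRED_NAME_LEN:
        return "bad-length"
    if name[::-1] != hardcoded_name():
        return "bad-name"
    if password != derive_password(name):
        return "bad-password"
    return "ok"


def recover_credentials():
    """Invert the name comparison, then run the password derivation forward."""
    name = hardcoded_name()[::-1]
    return name, derive_password(name)


if __name__ == "__main__":
    user, pw = recover_credentials()
    print(user, pw, check(user, pw))
```

Both values fall out of data and logic stored in the executable itself, which is why reading the decompiled click handler is enough to recover them.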